  1. PicketBox
  2. SECURITY-759

JASPIServerAuthenticationManager.isValid method should log configuration problems at WARN or ERROR level


    • Type: Enhancement
    • Resolution: Done
    • Priority: Major
    • 2.0.3.Beta2
    • PicketBox_4_0_20.Beta1
    • JBossSX
    • None

      As reported by Josef Cacek:

      All fatal exceptions are swallowed in the JASPIServerAuthenticationManager.isValid() method.

      // PicketBox 4.0.9 used in EAP 6.0.0 - TRACE level
            catch(AuthException ae)
            {
               if(trace)
                  log.trace("AuthException:",ae);
            }
      // PicketBox 4.0.14 - DEBUG level
            catch(AuthException ae)
            {
                PicketBoxLogger.LOGGER.debugIgnoredException(ae);
            }
      

      It includes configuration errors, which should absolutely be visible on ERROR log level or another relevant level.

      We need to make sure to use ERROR log if the user-defined module cannot be found for instance.
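
An added sketch, not PicketBox code, of the behaviour this issue asks for: a module that cannot be loaded is logged at ERROR (`SEVERE` in `java.util.logging`), an ordinary authentication failure stays at a debug level, and validation fails closed either way. The local `AuthException` stand-in, the `loadModule` and `isConfigurationProblem` helpers, and the class name `com.example.MissingAuthModule` are assumptions made for illustration.

```java
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.security.auth.login.LoginException;

public class IsValidLoggingSketch {
    private static final Logger LOG = Logger.getLogger("IsValidLoggingSketch");

    // Stand-in for javax.security.auth.message.AuthException so the sketch compiles on a bare JDK.
    static class AuthException extends LoginException {
        AuthException(String msg, Throwable cause) { super(msg); initCause(cause); }
    }

    // Hypothetical helper: instantiate the user-defined module named in the configuration.
    static Object loadModule(String className) throws AuthException {
        try {
            return Class.forName(className).getDeclaredConstructor().newInstance();
        } catch (ReflectiveOperationException e) {
            throw new AuthException("Cannot load auth module " + className, e);
        }
    }

    // Class-loading or instantiation failures anywhere in the cause chain point at a
    // broken deployment, not at a bad credential.
    static boolean isConfigurationProblem(Throwable t) {
        for (Throwable c = t; c != null; c = c.getCause()) {
            if (c instanceof ReflectiveOperationException || c instanceof LinkageError) return true;
        }
        return false;
    }

    static boolean isValid(String moduleClassName) {
        try {
            loadModule(moduleClassName);
            return true; // a real implementation would go on to ask the module to validate the request
        } catch (AuthException ae) {
            if (isConfigurationProblem(ae)) {
                LOG.log(Level.SEVERE, "JASPI module configuration error, authentication denied", ae);
            } else {
                LOG.log(Level.FINE, "Authentication failed", ae); // routine failure, debug level
            }
            return false; // assumption of this sketch: deny in both cases
        }
    }

    public static void main(String[] args) {
        System.out.println(isValid("java.lang.Object"));
        System.out.println(isValid("com.example.MissingAuthModule")); // constructed name, not on the classpath
    }
}
```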

              sguilhen Stefan Guilhen